Migrating Panorama from on prem to cloud
Working with a client who wants to consider using SCM in the cloud rather than Panorama on prem. Anyone else do this? Any input or lessons learned?
What version of Global Protect do you really prefer and why?
We are running 6.2.8-h6 (c431), but I see 6.2.x ends in a little over a year, so in theory we should be going to 6.3.x at some point, yet I do not see a preferred release of it despite 6.3.x being released first in mid 2024.
What is going on and what do all of you prefer? I see that there are 6.3.x-(c1000+) now is why I am asking. Presumably there is something better or more secure. Can someone chime in?
Sources and background info for this question:
https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary
Hello,
This is driving me nuts and looking for some assistance. I recently set up a new policy (ID 188) and am having issues getting traffic to properly hit it and I am not sure why.
I have the two following policies configured:
Traffic matching policy 129 looks like the following:
Traffic matching policy 188 looks like the following:
On policy 188, I initially had it configured with application of 'ssl' and 'web-browsing' with service set to 'application-default' which didn't work. I then changed application to 'any' and set the services to 'tcp/443 and tcp/80' this didn't work either. I finally tried setting application to 'any' and services to 'any' and that is not working either!
It seems like maybe the initial handshake isn't completing or the firewall isn't seeing enough in the initial packet(s) to start looking further down the policy stack, but I am not sure why. I have other sites with the exact same set up using the application of 'ssl' and service of 'application-default' and those work just fine. Maybe I am just not understanding something correctly but I feel like I am going insane with this.
Thanks!
Hi all, I did some research on this but can't seem to find an answer. I understand you can export the XML config from the firewall and import it back, but some of the tools I use take backups by running show config running which gives the JSON-like commands output. Is there a way to restore this config to the firewall, or do I need to have the XML file? TIA
Hi,
We are running Palo Alto Firewalls as our main IPS firewall. For the past years our strategy has been allowing ports 80 and 443 and filtering on the applications SSL and web-browsing. But nowadays we are dealing with lots of separate applications; for example AI applications or even websites like ecosia.org now have their own application signature. Our web-browsing rule now has over 80 different apps in it and it's growing, resulting in many unwanted tickets for: please fix this web application access.
Is this how it's designed, or how we could build a rule that has more of a blacklisting approach than whitelist but without allowing harmful applications on 443?
Of course I could build 2 rules with disallow everything unwanted and a second allow rule with application any in it. But this doesn't filter anything I don't know about.
So basically our security policy is: everything that is HTML / a normal website is okay, but we don't want to allow things like TeamViewer or SSH or any unknown non-web applications.
We are not allowed to do SSL inspection by the way
Just wanted to give everyone else a heads up: after upgrading from 11.1.13-h3 to 11.1.13-h5 we were no longer able to connect to GlobalProtect gateways. It turns out that 11.1.13-h5 enables this setting by default:

> show global-protect enable-auth-override-cookie-hmac
>
> Enable auth override cookie HMAC flag: yes

and if it's not enabled everywhere (all portals and all gateways) it will cause 'cookie decrypt' errors when trying to connect to that gateway.

The fix was simple but annoying: after upgrading, log in to each firewall and issue the command, or upgrade all firewalls at once and have this setting enabled everywhere:

> set global-protect enable-auth-override-cookie-hmac no
Edit: I checked with TAC based on comments and was told that this should only be used long enough to get everything upgraded; once upgraded, the HMAC setting should be turned back on.
Has anybody managed to successfully split exclude MS Teams media traffic (only) from the VPN?
From the Microsoft documentation, the items listed under ID 11 give some subnets and ports 3478-3481 for optimisation. This document shows that port 3478 is STUN, 3479 is Audio, 3480 is Video, 3481 is sharing/VBSS, so that is the traffic I'm interested in.
The first problem is that in the GlobalProtect configuration, you can only exclude specific ports by domain, not by IP address. And excluding the subnets entirely will exclude more than just media traffic.
Microsoft states in yet another article, alluding to this limitation and providing a workaround:
> Some VPN client software allows routing manipulation based on URL. However, Teams media traffic has no URL associated with it, so control of routing for this traffic must be done using IP subnets.
>
> In certain scenarios, often unrelated to Teams client configuration, media traffic still traverses the VPN tunnel even with the correct routes in place. If you encounter this scenario, then using a firewall rule to block the Teams IP subnets or ports from using the VPN should suffice.
This workaround makes sense, we do that for Google Meet and it works well.
But this is the second problem, if I block GP traffic to those subnets on ports 3478-3481, the MS Teams client just falls back to SSL rather than seeking an alternative route. Interestingly, MS Teams in the browser (Chrome) does behave as expected when the traffic is blocked, and routes outside of the tunnel on the standard media ports. I guess that's a Microsoft problem with the Teams client.
So yeah, has anybody managed to exclude just the media traffic successfully for MS Teams, or do you just exclude everything per the Palo Alto documentation?
Hello, since the last threat protection update we see that a lot of DHCP traffic is reset by the firewall because of threat ID 97011, which is related to D-Link DHCP problems. We don't use D-Link devices at all. Has anyone experienced similar issues?
So we migrated our Panorama instance from VMware to Hyper-V. I took a configuration snapshot before I started. We exported the sc3 certificates. Followed the instructions from Palo Alto pretty much to a T; kept the same IP address and host name. Got it all loaded back up and the log collector doesn't seem to be displaying on the Monitor tab. So I went and looked at the log collector. At first it was saying that it was ingesting logs. Then after I messed with it a little bit it stopped ingesting logs. I rebooted Panorama after doing a bunch of stuff and it seems like it's ingesting again. But still nothing is showing up on the Monitor tab. Anyone else seen this?
Hello
I have an active/active deployment using floating IPs, and one of the vsys that is active on node 0 (active-primary) is the internet vsys.
From the active-secondary (node 1) I can't reach the internet using its interface as a ping source.
I need to get updates from updates.paloalto.com.
Also I can't even ping Google.
So should the internet vsys be active on the secondary firewall in order for it to reach the internet?
Hello,
Since 10.2 EOL has just been extended, we haven't decided whether to go to 11.1 or 11.2. The safe bet may be to just upgrade to the latest hotfix version.
We have both 5400 chassis and 5400f, 3410, 52x0, 4x0 series. No VM.
Why pick 11.1 and not 11.2? Both have the same end-of-support date [off by 1 day]. TIA!
Palo Alto Networks has proactively removed GlobalProtect version 6.3.3-h10 (c1011) for Windows and macOS from the Customer Service Portal, Next-Generation Firewall, and Prisma Access.
During routine monitoring, we identified stability concerns with the 6.3.3-h10 (c1011) build on Windows and macOS only. To ensure the highest level of performance and reliability for your environment, we have paused its availability.
For customers currently running version 6.3.3-h10 (c1011) for the fix CVE-2026-0251 or otherwise: We advise planning an upgrade to our upcoming release, GlobalProtect 6.3.3-h11, as soon as it becomes available.
Palo Alto Networks is actively finalizing the GlobalProtect 6.3.3-h11 build for Windows and macOS to resolve these stability concerns.
We appreciate your patience and understanding. If you have any immediate questions or need assistance, please reach out to our Support team.
We are currently looking at the possibility of using Sectigo or SCEP to automate our GlobalProtect certificates, but the problem we are running into is that the Portal and Gateway configs have pointers to the cert, so the whole process cannot be automated, or can it? Has anyone been doing anything like this?
Hi Guys,
I’m looking for a solution to restrict Linux endpoints from connecting through GlobalProtect.
Has anyone implemented this before or have any recommendations/best practices? Any advice would be appreciated.
Thanks
Hi guys,
Is there any way to check how many Linux endpoints are using the GlobalProtect VPN?
I’m trying to identify users connecting from Linux machines.
Anyone run into the same issue, where a work laptop that uses GlobalProtect VPN can't access company programs unless it's on, while on T-Mobile 5G home internet?
Company IT team says it's T-Mobile's fault.
T-Mobile says settings can’t be changed.
Please please help me out. Need to do my work.
For those with this issue how did you fix it?
Hello,
Have you tried integrating Intune with GlobalProtect? I know it's a pretty lazy question, but it would be very helpful if someone did it.
Here we go again.
docs.paloaltonetworks.com seems to be DoS'ed out, so heaven knows what they have fixed today.
Seems like just 8 days ago the last hotfixes came out. We have the last releases in Test, but haven't rolled to Prod. Guess we'll be skipping the last and going to these.
The PAN-OS 11.1.7-h6, 11.1.10-h26, 11.1.13-h6, 11.2.4-h17, 11.2.7-h15 & 11.2.10-h8 software updates are now available on the Palo Alto Networks Software Updates page.
Check out the following Release Notes for release details, including the new features and bug fixes that make the upgrade worthwhile:
11.1.7-h6 (Long list of CVEs)
11.1.10-h26 (fixes for Eth1/1 data port and PoE ports, don't use -h25)
11.1.13-h6 (fixes for Eth1/1 data port and PoE ports, don't use -h5)
11.2.4-h17 (Long list of CVEs)
11.2.7-h15 (fixes for Eth1/1 data port and PoE ports, don't use -h14)
11.2.10-h8 (fixes for Eth1/1 data port and PoE ports, don't use -h7)
CVEs: